Without that rule, the final drop rule catches the request and drops everything, and no updates are possible. There is no real WAN interface... all interfaces are LAN. The point is that I have a rule which does not do what it is supposed to do...

It seems to be a bug somehow. With the GUI I changed the rule back to the original version with the inverted "internal"-networks alias (contains 3 networks) and checked the xml file, and the "-" in the port range field isn't there anymore and the rule now works as intended. Unfortunately, it's unclear to me right now how to replicate the error to fill in a bug report, but I'll try. Actually, I had another problem a few days ago, where the rules also had an inverted alias as destination. The problem vanished after editing the rules a few times without me knowing what went wrong, because the rules looked exactly the same at the end as they looked in the beginning - so I guess(!) there is something odd with the generation of the xml file.